Hey;
Thanks for the reply.
On Thursday, September 13, 2012 8:48:30 AM UTC-5, dan (ddpbsd) wrote:
>
> I cannot get multiple email_to options working in the same block. It
> always sends the alert to the last entry.
>
I pruned it down to one email_to entry, and I'm still getting the same
error
Hey;
I'm trying to break out emails for specific hosts to specific admins and
it's not working. Here's what I have in ossec.conf:
yes
localhost
os...@myco.com
20
kcort...@myco.com
dole...@myco.com
nilwinadmin
dole...@myco.com
rvo...@m
Hi;
My client's current ossec environment has 16 UNIX systems and 1 Windows
agent. Eventually, that's going to grow to about 25-30 UNIX agents and an
unknown but healthy number of Windows. They haven't asked for it yet; but,
I'm sure it's coming that the windows admins would like to receive s
Hi;
I have a client who asked if ossec can run on hypervisors. With Dilbert in
mind, I was tempted to ask "what color do you want that database?", but
refrained.
I've used HP's virtualization tech, am familiar with Solaris's at a
conceptual level, and know next to nothing about vmware's. W
Hey;
Just to put this one to bed: I have no idea why this wasn't working. I
checked permissions, ownership, client keys, firewall, network, etc, etc,
etc. I even checked the crc checksum of the tarball that was sent up to
the AIX system. Nothing worked. I finally blasted the installation an
On Monday, September 3, 2012 3:16:56 PM UTC-5, tstoneami wrote:
>
> Hey DK;
>
> Have you gotten anywhere on this? I am also seeing this message - and am
> hoping it is the cause of the reason for my log file not getting monitored.
>
> No; not yet. I posted this on Friday so wasn't really expect
Hi;
There's just something about these decoders that I'm just not getting.
Hopefully, something fairly simple so someone can say "Hey, dummy! It's
this!" Any rate, here are two sample log messages that I'm trying to
decode:
2012-08-30 03:24:02 pop3-login: Info: Aborted login (auth failed, 1
Hey;
I'm suspecting a firewall issue, but there's an odd twist. We installed
the ossec agent on an aix 5.3 box; but, it's not able to connect to the
ossec server. On the client, we're getting the typical:
2012/08/31 16:01:21 ossec-agentd(4101): WARN: Waiting for server reply (not
started). T
Hey
My recent battle with AIX 5.3 and compilers led to two issues. During the
install, the ossec user wasn't created because /bin/false was not listed in
the "/etc/security/login.cfg" file. The second issue is /etc/init.d is
apparently *not* where AIX 5.3 keeps its init scripts.
I updated th
And, last entry for this thread, in the hopes that it'll get into the
search cache and help some other poor schmuck that has to troubleshoot a
similar issue:
As previously mentioned, I was getting errors in pthread.h. Much Google
searching led to a page
(https://issues.apache.org/bugzilla/sho
On Wednesday, August 29, 2012 8:32:27 AM UTC-5, dan (ddpbsd) wrote:
>
> What other packages did you install? There have been a few AIX threads
> where that information was provided, perhaps you can look through
> those and compare.
>
> I haven't *installed* anything. Trying to use the boxes a
Hi;
Thanks for the reply. I tried to compile the simple program exactly as you
had it and got the same errors:
# gcc -o pt_test ./pt_test.c
In file included from ./pt_test.c:1:
/usr/include/pthread.h:666: error: expected ')' before '*' token
/usr/include/pthread.h:669: error: expected ')' befo
Works perfectly. Thank you, sir.
Hey;
As mentioned in other posts, I'm trying to monitor the /etc directory but
alert on /etc/passwd & shadow only if their permissions/ownership change.
The rules used to read:
syscheck,
/etc/passwd|/etc/shadow
Logging but not alerting changes to passwd/shadow
files
13
Hey;
> Does that seem like it'll do what I want (minus permission changes which
> aren't in there yet)?
The answer is yes; for the most part. There's still something amiss; but
that'll be the topic of another, hopefully shorter, post.
Thanks.
Doug O'Leary
Hi;
Here's the goal:
* I want to monitor /etc for any changes
* I want to monitor /etc/passwd and /etc/shadow for ownership, group
ownership, and permissions changes only
The basic logic being - I don't really care when people change their
passwords; but, if those files change ownership or
Hi;
Trying to install ossec agent on an old aix 5.3.0 box w/gcc 4.1.1
installed. Compile seems to get most of the way through and chokes on
'making shared' in pthread.h:
make[1]: Entering directory `/db2/crash/ossec-hids-2.6/src/shared'
gcc -c -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/
Hey;
Thanks for the replies; after rereading the replies a little more
carefully, I got it working. I was assuming that we could have regular
expressions in the tags and missed the ->
correction that Dan posted. Works much better now.
Thanks again for the help.
Doug O'Leary
problem somewhere in the system.'
**Alert to be generated.
Thanks for any info/hints/tips/suggests.
Doug O'Leary
On Friday, August 24, 2012 2:53:20 PM UTC-5, dkoleary wrote:
>
>
>
> 'pollkitd.*' appears no where in the log sample you provided below. I
>> think y
'pollkitd.*' appears no where in the log sample you provided below. I
> think you are probably thinking:
>
Actually, it does...
log: 'polkitd(authority=local)
Right there at the beginning of the line; however, I think you pointed out
what I was doing wrong... the '.' has to be escaped, fro
Hey
I've been getting an alert that I want to filter out; basically, a bogus
syslog message. I create a new rule in .../rules/local_rules.xml thusly:
1002
polkitd.*
Meaningless syslog message. Logging...
Even after restarting ossec, a logtest session doesn't show this rule
getting
Hi;
It now appears that quite a bit of my initial problems have been caused by
my own impatience. As others have noted, when running syscheck initially, it
creates the database of files w/check sums, permissions etc. That,
apparently, takes *A LONG* time lol.
For testing, I have the syscheck fr
Hi;
I'm not overly interested in getting alerted every time someone changes
their password so, I'd like to monitor the shadow file for owner, group and
permissions only while keeping everything else in /etc monitored for
everything.
Would the following lines in syscheck do that or is this so
Hey;
Never mind; I got it. Finally found the agent_control -l command which
showed me that there was an agent 000 for localhost. agent_control -r -u
000 says it's running syscheck locally. Still not getting the alerts that
I think I should be, but that's a different problem.
Thanks anyway.
Hi;
My ossec environment, currently, consists of only one ossec server.
That'll expand reasonably soon; however, at the moment, just got the one
server. Since I only had the one server, when I started, I did not run the
manage_agents command. After some changes to the ossec config file, I ra
Hi;
I have a client who's looking to install ossec, primarily for the integrity
checking. I'm setting up the directories now and pondering the directories
that get monitored. By default, it's the bin directories. I'm thinking of
changing those as listed below and was hoping for some feedback
Hey;
While not a direct answer, I think I have the direction in which you want
to go. I've been reading the online manual (http://www.ossec.net/doc/)
which has a section on cdb list lookups from within rules
(http://www.ossec.net/doc/manual/rules-decoders/rule-lists.html). Cdb is
'constant d